The Dyn cybersecurity breach of October 21, 2016 saw multiple denial-of-service attacks target the domain name system provider which, it turned out, supports internet platforms across Europe and North America. Victims included Twitter, PayPal, Spotify, CNN and the New York Times, as Mirai malware triggered look-up requests from tens of millions of IP addresses. Printers, cameras, home gateways and even baby monitors combined to deliver attack traffic in waves of 1.2 terabits per second.
The maritime sector is far from immune to the hacking threat. In August 2016, French naval contractor DCNS fell victim to a hack that left the newspaper The Australian holding 22,000 documents detailing the design of a submarine under construction for the Indian Navy, including combat capability. In the same month, US ports reported attacks using an SQL injection flaw in the web-based component of the widely used Navis maritime transportation logistics software suite.
Then, in October 2016, Hewlett-Packard disclosed that a hack of United States Navy records from a sailor’s laptop within its Enterprise Services agreements had allowed access to personal records of more than 134,000 sailors.
“Many in the maritime sector nonetheless still assess the probability of premeditated cyberattacks on shipping as low. This must be one explanation why a recent Coventry University study supported by the CSO [Company Security Officer] Alliance found 100% of participating shipowners saying their crews were given no training in cyber security at all.
“However, in 2017 things are changing fast, as mobile connectivity brings ships at sea into the Internet of Things, not least following the launch of Fleet Xpress from Inmarsat. The hybrid Ka-band/L-band service redefines what is possible in maritime communications, offering consistent, higher bandwidth communications and always-on capability, and enabling advanced business applications and crew connectivity via mobile devices,” says Peter Broadhurst, Senior Vice President Safety and Security at Inmarsat.
As land-based users know, however, freedom to roam the web is just as open to fraudsters as it is to legitimate users. This year has also seen the launch of the ‘Be Cyber Aware at Sea’ campaign by UK maritime cyber security specialist JWC International, which we at Inmarsat are actively supporting and which has attracted support from The Standard Club, North P & I Club and insurance broker Integro.
Yves Vandenborn, The Standard Club Director of Loss Prevention, says: “This emerging threat is very real and current. Technology on ships continues to advance and so do the challenges that arise as a result. Educating crew and spreading awareness is the first step in fighting cybercrime at sea.”
The sentiments and the ‘Be Aware’ campaign are warmly welcomed. Inmarsat recently ring-fenced maritime security as a dedicated area of expertise within Safety Services, with a team of nine cyber specialists.
Inmarsat is developing an end-to-end cyber security solution, which “includes a technical answer to report and prevent attacks or malware on a ship, but also offers a programme of awareness, risk assessments and the training that drives best practice procedures”, Broadhurst says. As part of this cohesive approach, Inmarsat is seeking to include its cyber security capabilities in a scheme to upgrade its network and infrastructure accreditation in line with ISO 27001.
In a world where half of online traffic is automated and an entire black market supplies hackers with tools to breach corporate security, Broadhurst is nonetheless keen to keep shipping’s cyber threat in proportion. “I think there are cyber companies out there now who have made their mark with the financial institutions and are looking to other verticals; superficially, they can make an impression by predicting doom and gloom on the cyber threat to shipping,” he says.
Inmarsat, by contrast, is drawing on 35 years of maritime experience, as well as a long track record as a supplier for government and defence clients, to concentrate on where threats are really going to come from, says Broadhurst. “It is time to introduce maturity into maritime security.”
Only Inmarsat will be able to offer a fully managed end-to-end service, Broadhurst says. “Other offerings we have seen and those we are aware of that are under development address part of the threat, or part of the management requirement, but only Inmarsat’s approach to threat management is all-inclusive.”
Broadhurst adds that the fully managed approach will be critical. An individual ship’s vulnerability to cyberattack may only be exposed when its departure from or arrival at a port is denied, for example because loading information is not shown correctly. Ransomware is a “huge phenomenon”, Broadhurst states, but shipowners may still be willing to consider buying their way out. “The owner may think, if the computer fails, the best solution is to go out and get another one because landing the cargo is the imperative. In the new era of ship connectivity, those days are over.”
Although ships can be carrying high-value cargoes, many individual vessels do not have large amounts of valuable data onboard; their attraction for hackers is that they offer a way into a company’s corporate system. “The reality is likely to be that the systems are under attack because they are identified as IP addresses by hackers who are looking for any weaknesses to see what they can get their hands on, and not because they are ships or shipboard systems,” says Broadhurst.
Inmarsat is working within a strategic alliance with Singtel to use capability available through the Singaporean telecoms company’s Trustwave subsidiary. Shipboard tests of a maritime UTM (unified threat management) system from Inmarsat are currently underway, and the full launch is envisaged later in 2017. The Inmarsat solution will be embedded in all Fleet Xpress hardware going forward, as an option which can be switched on or off by the operator as required. In the future, the same capability will be extended to FleetBroadband, Broadhurst says.
The technology will be supported through a network of already established security operations centres, Broadhurst continues. “Owners will be able to get a view of what is going on at both the ship and the fleet level, and track causes behind any security compromises, whether they are due to attacks or the presence of malware on board. We also see the system’s use as the basis for improving training and achieving the best practice that blocks threats coming from malware.”
Broadhurst believes the maritime satellite company is taking the initiative at a critical time for shipping. “The ISO has been talking about maritime IT cyber standards but it is two to three years away, while the IMO is developing guidelines,” he says. “We are at a place where everyone realises that there is a threat, but that realisation actually emphasises that shipping is a fragmented industry. As the launch of new guidelines by BIMCO aimed at helping shipping secure itself against the threat of cyberattackers shows, however, there are many in the industry who are wide awake to the threat.”
Maritime Cyber Security Myth-Busting is one of three key Inmarsat events scheduled to coincide with London International Shipping Week 2017. The session, to be held at Inmarsat Global HQ in London on 13 September, will include a briefing on the cyber security threat facing shipping and the roles training, technology and global support have in addressing the different elements of that threat.
“A main priority for Inmarsat in the first part of 2017 is to engage owners in dialogue on the vulnerabilities of the bridge, cargo management and propulsion monitoring systems that interface with shoreside networks, and explain their options when it comes to protecting themselves against cyber incidents,” concludes Broadhurst.